Diffstat (limited to 'emailwiz.sh')
-rwxr-xr-x | emailwiz.sh | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/emailwiz.sh b/emailwiz.sh index f05d8ef..22b6b84 100755 --- a/emailwiz.sh +++ b/emailwiz.sh @@ -42,7 +42,9 @@ subdom=${MAIL_SUBDOM:-mail} maildomain="$subdom.$domain" certdir="/etc/letsencrypt/live/$maildomain" -[ ! -d "$certdir" ] && echo "Note! You must first have a HTTPS/SSL Certificate for $maildomain. +[ ! -d "$certdir" ] && certdir="$(dirname "$(certbot certificates 2>/dev/null | grep "$maildomain" -A 2 | awk '/Certificate Path/ {print $3}')")" + +[ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain. Use Let's Encrypt's Certbot to get that and then rerun this script. @@ -64,6 +66,15 @@ postconf -e "smtpd_use_tls = yes" postconf -e "smtpd_tls_auth_only = yes" postconf -e "smtp_tls_security_level = may" postconf -e "smtp_tls_loglevel = 1" +postconf -e "smtp_tls_CAfile=$certdir/cert.pem" +postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "tls_preempt_cipherlist = yes" +postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, + DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, + RSA+AES, eNULL" # Here we tell Postfix to look to Dovecot for authenticating users/passwords. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth 
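Review bot: The certbot fallback on the new `certdir=` line passes the guard that follows it even when certbot reports nothing: `dirname ""` prints `.`, which is an existing directory, so `[ ! -d "$certdir" ]` never fires and the script continues with `certdir=.`, later writing `ssl_cert = <./fullchain.pem` into the Dovecot config. `grep "$maildomain"` is also an unanchored regex substring match over the whole `certbot certificates` listing, so a second certificate whose names contain the same string may yield several paths and a multi-line certdir. I would only call dirname on a non-empty path and take the first match, as below.
```shell
certdir="/etc/letsencrypt/live/$maildomain"
if [ ! -d "$certdir" ]; then
	certpath="$(certbot certificates 2>/dev/null | grep -F -A 2 -- "$maildomain" | awk '/Certificate Path/ {print $3; exit}')"
	[ -n "$certpath" ] && certdir="$(dirname "$certpath")"
fi
# … unchanged: "Note! You must first have a Let's Encrypt Certbot ..." message and exit …
```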
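Review bot: `smtp_tls_CAfile=$certdir/cert.pem` points the outbound SMTP client's trust anchor at this host's own Let's Encrypt leaf certificate, which cannot validate any remote server's chain; with `smtp_tls_security_level = may` delivery still happens, but the setting is misleading and a later move to `verify` or `secure` would fail for every destination. Point it at the system trust store instead, e.g. `postconf -e "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"` (Debian-family bundle path, which the other paths in this script suggest is the target) or `postconf -e "smtp_tls_CApath = /etc/ssl/certs"`; that also restores the `key = value` spacing the neighbouring postconf lines use. The `smtpd_tls_exclude_ciphers` value is passed to `postconf -e` with embedded newlines and relies on main.cf continuation-line handling, so I would confirm `postconf -n smtpd_tls_exclude_ciphers` prints the whole list after a run.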
@@ -125,9 +136,13 @@ echo "# Dovecot config ssl = required ssl_cert = <$certdir/fullchain.pem ssl_key = <$certdir/privkey.pem +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH +ssl_prefer_server_ciphers = yes ssl_dh = </usr/share/dovecot/dh.pem # Plaintext login. This is safe and easy thanks to SSL. auth_mechanisms = plain login +auth_username_format = %n protocols = \$protocols imap @@ -251,7 +266,7 @@ sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf -sed -i '/\local:\/var\/run\/opendkim\/opendkim.sock/a \Socket\t\t\tinet:12301@localhost' /etc/opendkim.conf +grep -q "^Socket\s*inet:12301@localhost" /etc/opendkim.conf || echo "Socket inet:12301@localhost" >> /etc/opendkim.conf # OpenDKIM daemon settings, removing previously activated socket. sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim @@ -284,7 +299,6 @@ $dmarcentry $spfentry" > "$HOME/dns_emailwizard" echo " - _ _ | \ | | _____ ___ | \| |/ _ \ \ /\ / (_) |
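Review bot: `auth_username_format = %n` is an authentication behaviour change inside a TLS-hardening hunk and carries no explanation: Dovecot's `%n` keeps only the user part of `user@domain`, so a login as `user@$domain` is looked up as the local account `user`. Add a why-comment above it inside the echoed config, e.g. `# %n drops any @domain part so users can log in as either user or user@domain`. The `ssl_cipher_list` line also deserves a one-line comment stating the intent (TLS 1.2+, ECDHE/AEAD suites only); as I read OpenSSL's cipher aliases, `!SHA1:!SHA256:!SHA384` excludes by MAC and leaves the GCM/ChaCha suites, but that is worth confirming with `doveconf -n ssl_cipher_list` and `openssl ciphers -v` on the resulting string before relying on it.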
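Review bot: The new `grep -q "^Socket\s*inet:12301@localhost" … || echo … >>` line is not idempotent with the `sed -e '/Socket/s/^#*/#/'` two lines above it: on a re-run that sed comments out the `Socket inet:12301@localhost` line appended by the previous run, the anchored grep then no longer matches, and another copy is appended, so /etc/opendkim.conf accumulates one commented Socket line per run. Re-enable a previously commented instance before the existence check and use the portable class instead of `\s`: `sed -i 's/^#*\(Socket[[:space:]]*inet:12301@localhost\)/\1/' /etc/opendkim.conf` followed by `grep -q "^Socket[[:space:]]*inet:12301@localhost" /etc/opendkim.conf || echo "Socket inet:12301@localhost" >> /etc/opendkim.conf`.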